def test_14_send_to_adminrealm(self):
# setup realms
self.setUp_user_realms()
r = add_smtpserver(identifier="myserver", server="1.2.3.4", tls=False)
self.assertTrue(r > 0)
smtpmock.setdata(response={"*****@*****.**": (200, "OK")},
support_tls=False)
g = FakeFlaskG()
audit_object = FakeAudit()
audit_object.audit_data["serial"] = "123456"
g.logged_in_user = {"user": "******", "role": "admin", "realm": ""}
g.audit_object = audit_object
builder = EnvironBuilder(method='POST',
data={'serial': "OATH123456"},
headers={})
env = builder.get_environ()
# Set the remote address so that we can filter for it
env["REMOTE_ADDR"] = "10.0.0.1"
g.client_ip = env["REMOTE_ADDR"]
req = Request(env)
req.all_data = {"serial": "SomeSerial", "user": "******"}
req.User = User("cornelius", self.realm1)
resp = Response()
resp.data = """{"result": {"value": true},
"detail": {"registrationcode": "12345678910"}
}
"""
# send email to user in adminrealm "realm1"
# Although this is no admin realm, but this realm contains some email
# addresses.
options = {
"g": g,
"request": req,
"response": resp,
"handler_def": {
"conditions": {
"serial": "123.*"
},
"options": {
"body": "your {registrationcode}",
"emailconfig": "myserver",
"To": NOTIFY_TYPE.ADMIN_REALM,
"To " + NOTIFY_TYPE.ADMIN_REALM: "realm1"
}
}
}
un_handler = UserNotificationEventHandler()
res = un_handler.do("sendmail", options=options)
self.assertTrue(res)
def test_14_otppin_priority(self):
my_user = User("cornelius", realm="r1")
set_policy(name="pol1",
scope=SCOPE.AUTH,
action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.NONE),
priority=2)
set_policy(name="pol2",
scope=SCOPE.AUTH,
action="{0!s}={1!s}".format(ACTION.OTPPIN, ACTIONVALUE.TOKENPIN),
priority=2)
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
g.audit_object = FakeAudit()
options = {"g": g}
# error because of conflicting policies
with self.assertRaises(PolicyError):
auth_otppin(self.fake_check_otp, None,
"", options=options, user=my_user)
# lower pol2 priority
set_policy(name="pol2",
priority=3)
g.policy_object.reload_from_db()
# NONE with empty PIN -> success
r = auth_otppin(self.fake_check_otp, None,
"", options=options, user=my_user)
self.assertTrue(r)
# NONE with empty PIN -> success, even if the authentication is done
# for a serial and not a user, since the policy holds for all realms
token = init_token({"type": "HOTP", "otpkey": "1234"})
r = auth_otppin(self.fake_check_otp, token,
"", options=options, user=None)
self.assertTrue(r)
# NONE with some pin -> fail
r = auth_otppin(self.fake_check_otp, None,
"some pin", options=options, user=my_user)
self.assertFalse(r)
# increase pol2 priority
set_policy(name="pol2", priority=1)
g.policy_object.reload_from_db()
r = auth_otppin(self.fake_check_otp, None,
"FAKE", options=options,
user=my_user)
self.assertTrue(r)
r = auth_otppin(self.fake_check_otp, None,
"Wrong Pin", options=options,
user=my_user)
self.assertFalse(r)
delete_policy("pol1")
delete_policy("pol2")
def test_18_challenges(self):
db_token = Token.query.filter_by(serial=self.serial1).first()
token = HotpTokenClass(db_token)
transaction_id = "123456789"
resp = token.is_challenge_response(
User(login="******", realm=self.realm1), "test123456")
self.assertFalse(resp, resp)
C = Challenge(self.serial1,
transaction_id=transaction_id,
challenge="Who are you?")
C.save()
resp = token.is_challenge_response(
User(login="******", realm=self.realm1),
"test123456",
options={"transaction_id": transaction_id})
self.assertTrue(resp, resp)
# test if challenge is valid
self.assertTrue(C.is_valid())
def test_17_check_nonascii_user(self):
realm = u"sqlrealm"
resolver = u"SQL1"
parameters = self.parameters
parameters["resolver"] = resolver
parameters["type"] = "sqlresolver"
rid = save_resolver(parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm, [resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
# check non-ascii password of non-ascii user
self.assertFalse(
User(login=u"nönäscii", realm=realm).check_password("wrong"))
self.assertTrue(
User(login=u"nönäscii",
realm=realm).check_password(u"sömepassword"))
# check proper unicode() and str() handling
user_object = User(login=u"nönäscii", realm=realm)
if six.PY2:
self.assertEqual(unicode(user_object), u'<nönäscii.SQL1@sqlrealm>')
self.assertEqual(str(user_object),
'<n\xc3\xb6n\xc3\xa4scii.SQL1@sqlrealm>')
else:
self.assertEqual(six.text_type(user_object),
u'<nönäscii.SQL1@sqlrealm>')
self.assertEqual(
six.text_type(user_object).encode('utf8'),
b'<n\xc3\xb6n\xc3\xa4scii.SQL1@sqlrealm>')
# also check the User object representation
user_repr = repr(user_object)
if six.PY2:
self.assertEqual(
"User(login=u'n\\xf6n\\xe4scii', "
"realm=u'sqlrealm', resolver=u'SQL1')", user_repr, user_repr)
else:
self.assertEqual(
"User(login='******', "
"realm='sqlrealm', resolver='SQL1')", user_repr, user_repr)
def _get_tokenowner(request):
user = request.User
serial = request.all_data.get("serial")
if user.is_empty() and serial:
# maybe the user is empty, but a serial was passed.
# Then we determine the user by the serial
try:
user = get_token_owner(serial) or User()
except Exception as exx:
user = User()
# This can happen for orphaned tokens.
log.info("Could not determine tokenowner for {0!s}. Maybe the "
"user does not exist anymore.".format(serial))
log.debug(exx)
# If the user does not exist, we set an empty user
if not user.exist():
user = User()
return user
def create_token(serial, username):
app = create_app(config_name="production",
config_file="/etc/privacyidea/pi.cfg",
silent=True)
with app.app_context():
# Set global values
params = {"type": TOKENTYPE}
if username:
user = User(username, REALM)
else:
user = User()
if serial:
params["serial"] = serial
password = generate_password(size=PW_LEN, characters=BASE58)
params["otplen"] = PW_LEN
params["otpkey"] = password
tok = init_token(params, user)
return tok.token.serial, password
def test_04_user_can_not_lost_another_token(self):
self.authenticate_selfservice_user()
assign_token(self.foreign_serial, User("cornelius", self.realm1))
with self.app.test_request_context('/token/lost/{0!s}'.format(
self.foreign_serial),
method='POST',
headers={'Authorization':
self.at_user}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 400, res)
def test_41_get_tokens_paginate(self):
# create some tokens
for serial in ["S1", "S2", "S3", "A8", "B", "X"]:
init_token({
"serial": serial,
"type": "hotp",
"otpkey": self.otpkey,
"realm": self.realm1
})
token_count = 15
# return pagination
tokens = get_tokens_paginate(sortby=Token.serial, page=1, psize=5)
self.assertTrue(
len(tokens.get("tokens")) == 5, len(tokens.get("tokens")))
self.assertEqual(tokens.get("count"), token_count)
self.assertTrue(tokens.get("next") == 2, tokens.get("next"))
self.assertTrue(tokens.get("prev") is None, tokens.get("prev"))
tokens = get_tokens_paginate(sortby=Token.serial, page=2, psize=5)
self.assertEqual(len(tokens.get("tokens")), 5)
self.assertEqual(tokens.get("count"), token_count)
self.assertEqual(tokens.get("next"), 3)
self.assertEqual(tokens.get("prev"), 1)
tokens = get_tokens_paginate(sortby=Token.serial, page=3, psize=5)
self.assertEqual(len(tokens.get("tokens")), 4)
self.assertEqual(tokens.get("count"), token_count)
self.assertEqual(tokens.get("next"), None)
self.assertEqual(tokens.get("prev"), 2)
# Test filtering and sorting
tokens = get_tokens_paginate(assigned=True, page=1)
self.assertTrue(
len(tokens.get("tokens")) == 2, len(tokens.get("tokens")))
self.assertTrue(tokens.get("count") == 2, tokens.get("count"))
self.assertTrue(tokens.get("next") is None, tokens.get("next"))
self.assertTrue(tokens.get("prev") is None, tokens.get("prev"))
tokens = get_tokens_paginate(sortby=Token.serial,
page=1,
sortdir="desc")
self.assertTrue(len(tokens.get("tokens")), token_count - 1)
self.assertEqual(tokens.get("count"), token_count)
self.assertTrue(tokens.get("next") is None, tokens.get("next"))
self.assertTrue(tokens.get("prev") is None, tokens.get("prev"))
# Test to retrieve tokens of user cornelius
tokens = get_tokens_paginate(user=User("cornelius", "realm1"))
self.assertTrue(
len(tokens.get("tokens")) == 2, len(tokens.get("tokens")))
# test to retrieve tokens with not strict serial matching
tokens = get_tokens_paginate(serial="hotp*")
self.assertTrue(
len(tokens.get("tokens")) == 1, len(tokens.get("tokens")))
def test_19_smstext(self):
# The single quotes in the smstext "'Your <otp>'" is legacy and results in
# the string without single quotes "Your <otp>".
smstext_tests = {
"'Your <otp>'": r"Your [0-9]{6}",
"Your <otp>": r"Your [0-9]{6}",
"{user} has the OTP: {otp}": r"Cornelius has the OTP: [0-9]{6}"
}
for pol_text, result_text in smstext_tests.items():
# create a SMSTEXT policy:
p = set_policy(name="smstext",
action="{0!s}={1!s}".format(SMSACTION.SMSTEXT,
pol_text),
scope=SCOPE.AUTH)
self.assertTrue(p > 0)
g = FakeFlaskG()
P = PolicyClass()
g.audit_object = FakeAudit()
g.policy_object = P
options = {"g": g, "user": User("cornelius", self.realm1)}
responses.add(responses.POST,
self.SMSHttpUrl,
body=self.success_body)
set_privacyidea_config("sms.providerConfig",
self.SMSProviderConfig)
db_token = Token.query.filter_by(serial=self.serial1).first()
token = SmsTokenClass(db_token)
c = token.create_challenge(options=options)
self.assertTrue(c[0], c)
display_message = c[1]
self.assertEqual(display_message, _("Enter the OTP from the SMS:"))
self.assertEqual(c[3].get("state"), None)
smstext = token._get_sms_text(options)
self.assertEqual(pol_text.strip("'"), smstext)
r, message = token._send_sms(smstext, options)
self.assertRegexpMatches(message, result_text)
# Test AUTOSMS
p = set_policy(name="autosms",
action=SMSACTION.SMSAUTO,
scope=SCOPE.AUTH)
self.assertTrue(p > 0)
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
g.audit_object = FakeAudit()
options = {"g": g}
r = token.check_otp(self.valid_otp_values[5 + len(smstext_tests)],
options=options)
self.assertTrue(r > 0, r)
def test_16_init_detail(self):
db_token = Token.query.filter_by(serial=self.serial2).first()
token = MotpTokenClass(db_token)
token.add_init_details("otpkey", "11223344556677889900")
token.set_user(User(login="******",
realm=self.realm1))
token.save()
self.assertTrue(token.token.resolver_type == "passwdresolver",
token.token.resolver_type)
self.assertTrue(token.token.resolver == self.resolvername1,
token.token.resolver)
self.assertTrue(token.token.user_id == "1000",
token.token.user_id)
user_object = token.user
self.assertTrue(user_object.login == "cornelius",
user_object)
self.assertTrue(user_object.resolver == self.resolvername1,
user_object)
detail = token.get_init_detail()
self.assertTrue("otpkey" in detail, detail)
# but the otpkey must not be written to token.token.info (DB)
# As this only writes the OTPkey to the internal init_details dict
self.assertTrue("otpkey" not in token.token.get_info(),
token.token.get_info())
# Now get the Token2 URL, which we only
# get, if a user is specified.
detail = token.get_init_detail(user=User("cornelius",
self.realm1))
self.assertTrue("otpkey" in detail, detail)
otpkey = detail.get("otpkey")
self.assertTrue("img" in otpkey, otpkey)
self.assertTrue("motpurl" in detail, detail)
motpurl = detail.get("motpurl").get("value")
self.assertTrue(motpurl == 'motp://privacyidea:mylabel?'
'secret=11223344556677889900', motpurl)
self.assertRaises(Exception, token.set_init_details, "unvalid value")
token.set_init_details({"detail1": "value1"})
self.assertTrue("detail1" in token.get_init_details(),
token.get_init_details())
def reassign_token(serial, username):
app = Flask(__name__, static_folder="static",
template_folder="static/templates")
app.config.from_pyfile("/etc/privacyidea/pi.cfg", silent=True)
db = SQLAlchemy()
db.init_app(app)
with app.app_context():
# Set global values
unassign_token(serial)
assign_token(serial, User(username, NEW_REALM))
def test_10_check_user_password(self):
(added, failed) = set_realm("passwordrealm", [self.resolvername3])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
self.assertTrue(
User(login="******",
realm="passwordrealm").check_password("test"))
self.assertFalse(
User(login="******",
realm="passwordrealm").check_password("wrong"))
self.assertFalse(
User(login="******",
realm="passwordrealm").check_password("wrong"))
# test cornelius@realm2, since he is located in more than one
# resolver.
self.assertEqual(
User(login="******", realm="realm2").check_password("test"),
None)
def test_17_check_nonascii_user(self):
realm = "sqlrealm"
resolver = "SQL1"
parameters = self.parameters
parameters["resolver"] = resolver
parameters["type"] = "sqlresolver"
rid = save_resolver(parameters)
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm(realm, [resolver])
self.assertEqual(len(failed), 0)
self.assertEqual(len(added), 1)
# check non-ascii password of non-ascii user
self.assertFalse(
User(login=u"nönäscii", realm=realm).check_password("wrong"))
self.assertTrue(
User(login=u"nönäscii",
realm=realm).check_password(u"sömepassword"))
def test_07_login_mode(self):
# a realm: cornelius@r1: PW: test
def check_webui_user_userstore(user_obj, password,
options=None, superuser_realms=None,
check_otp=False):
self.assertEqual(check_otp, False)
def check_webui_user_privacyidea(user_obj, password,
options=None, superuser_realms=None,
check_otp=False):
self.assertEqual(check_otp, True)
user_obj = User("cornelius", "r1")
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
g.audit_object = FakeAudit()
options = {"g": g}
# No policy, the function is called with check_otp=False
login_mode(check_webui_user_userstore, user_obj, "",
options=options, superuser_realms="", check_otp=False)
set_policy(name="pol2",
scope=SCOPE.WEBUI,
action="{0!s}={1!s}".format(ACTION.LOGINMODE, LOGINMODE.PRIVACYIDEA))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
g.audit_object = FakeAudit()
options = {"g": g}
# Policy is set, the function is called with check_otp=True
login_mode(check_webui_user_privacyidea, user_obj, "",
options=options, superuser_realms="", check_otp=False)
# Set policy, so that the user is not allowed to login at all
set_policy(name="pol2",
scope=SCOPE.WEBUI,
action="{0!s}={1!s}".format(ACTION.LOGINMODE, LOGINMODE.DISABLE))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
g.audit_object = FakeAudit()
options = {"g": g}
# Policy is set. Trying to login raises a policy error
self.assertRaises(PolicyError, login_mode,
check_webui_user_privacyidea, user_obj, "",
options=options, superuser_realms="",
check_otp=False)
delete_policy("pol2")
def test_02_get_auth_item(self):
serial = "ssh1"
# create realm
self.setUp_user_realms()
user = User("cornelius", realm=self.realm1)
# create ssh token
init_token({"serial": serial, "type": "sshkey", "sshkey": SSHKEY},
user=user)
auth_item = SSHApplication.get_authentication_item("sshkey", serial)
self.assertEqual(auth_item.get("sshkey"), SSHKEY)
self.assertEqual(auth_item.get("username"), "cornelius")
def test_00_create_realms(self):
self.setUp_user_realms()
# create a token and assign it to the user
db_token = Token(self.serials[0], tokentype="hotp")
db_token.update_otpkey(self.otpkey)
db_token.save()
token = HotpTokenClass(db_token)
self.assertTrue(token.token.serial == self.serials[0], token)
token.set_user(User("cornelius", self.realm1))
token.set_pin("pin")
self.assertTrue(token.token.user_id == "1000", token.token.user_id)
def test_02_userstore_password(self):
# create a realm, where cornelius has a password test
rid = save_resolver({
"resolver": "myreso",
"type": "passwdresolver",
"fileName": PWFILE2
})
self.assertTrue(rid > 0, rid)
(added, failed) = set_realm("r1", ["myreso"])
self.assertTrue(len(failed) == 0)
self.assertTrue(len(added) == 1)
# now create a policy with userstore PW
set_policy(name="pol1",
scope=SCOPE.AUTH,
action="{0!s}={1!s}".format(ACTION.OTPPIN,
ACTIONVALUE.USERSTORE))
g = FakeFlaskG()
P = PolicyClass()
g.policy_object = P
g.audit_object = FakeAudit()
options = {"g": g}
# Wrong password
r = auth_otppin(self.fake_check_otp,
None,
"WrongPW",
options=options,
user=User("cornelius", realm="r1"))
self.assertFalse(r)
# Correct password from userstore: "test"
r = auth_otppin(self.fake_check_otp,
None,
"test",
options=options,
user=User("cornelius", realm="r1"))
self.assertTrue(r)
delete_policy("pol1")
def test_11_cache_expiration(self):
# delete user_cache
r = delete_user_cache()
self.assertTrue(r >= 0)
# populate the cache with artificial, somewhat "old", but still relevant data
timestamp = datetime.now() - timedelta(seconds=300)
UserCache("hans1", "hans1", "resolver1", "uid1", timestamp).save()
UserCache("hans2", "hans2", "resolver1", "uid2", timestamp).save()
# check that the cache is indeed queried
self.assertEqual(get_username("uid1", "resolver1"), "hans1")
self.assertEqual(User("hans2", "realm1", "resolver1").uid, "uid2")
# check that the (non-existent) resolver is queried
# for entries not contained in the cache
self.assertEqual(get_username("uid3", "resolver1"), "")
# TODO: Interestingly, if we mock `datetime` here to increase the time by one
# day, this test works, but a subsequent test (test_ui_certificate) will fail
# with weird error messages. So we do not use the datetime mock for now.
#with self._patch_datetime_now('privacyidea.lib.usercache.datetime.datetime') as mock_datetime:
with patch('privacyidea.lib.usercache.get_cache_time'
) as mock_get_cache_time:
# Instead, we just decrease the cache time from 600 to 60 seconds,
# which causes the entries above to be considered expired
mock_get_cache_time.return_value = timedelta(seconds=60)
# check that the cached entries are not queried anymore
self.assertEqual(UserCache.query.count(), 2)
self.assertEqual(get_username("uid1", "resolver1"), "")
with self.assertRaises(UserError):
User("hans2", "realm1", "resolver1")
self.assertEqual(get_username("uid3", "resolver1"), "")
# We add another, "current" entry
UserCache("hans4", "hans4", "resolver1", "uid4",
datetime.now()).save()
self.assertEqual(UserCache.query.count(), 3)
# we now remove old entries, only the newest remains
delete_user_cache(expired=True)
self.assertEqual(UserCache.query.count(), 1)
self.assertEqual(UserCache.query.one().user_id, "uid4")
# clean up
delete_user_cache()
def test_03a_api_authenticate_fail(self):
# This tests the failed to communicate to the firebase service
self.setUp_user_realms()
# get enrolled push token
toks = get_tokens(tokentype="push")
self.assertEqual(len(toks), 1)
tokenobj = toks[0]
# set PIN
tokenobj.set_pin("pushpin")
tokenobj.add_user(User("cornelius", self.realm1))
# We mock the ServiceAccountCredentials, since we can not directly contact the Google API
with mock.patch(
'privacyidea.lib.smsprovider.FirebaseProvider.ServiceAccountCredentials'
) as mySA:
# alternative: side_effect instead of return_value
mySA.from_json_keyfile_name.return_value = myCredentials(
myAccessTokenInfo("my_bearer_token"))
# add responses, to simulate the failing communication (status 500)
responses.add(
responses.POST,
'https://fcm.googleapis.com/v1/projects/test-123456/messages:send',
body="""{}""",
status=500,
content_type="application/json")
# Send the first authentication request to trigger the challenge
with self.app.test_request_context('/validate/check',
method='POST',
data={
"user": "******",
"realm": self.realm1,
"pass": "******"
}):
res = self.app.full_dispatch_request()
self.assertTrue(res.status_code == 400, res)
jsonresp = res.json
self.assertFalse(jsonresp.get("result").get("status"))
self.assertEqual(
jsonresp.get("result").get("error").get("code"), 401)
self.assertEqual(
jsonresp.get("result").get("error").get("message"),
"ERR401: Failed to submit "
"message to firebase service.")
# Our ServiceAccountCredentials mock has been called once, because no access token has been fetched before
self.assertEqual(len(mySA.from_json_keyfile_name.mock_calls), 1)
self.assertIn(FIREBASE_FILE,
get_app_local_store()["firebase_token"])
def test_02_check_recoverycode(self):
smtpmock.setdata(response={"*****@*****.**": (200, "OK")})
recoverycode = "reccode"
user = User("cornelius", self.realm1)
r = create_recoverycode(user, recoverycode=recoverycode)
self.assertEqual(r, True)
r = check_recoverycode(user, recoverycode)
self.assertEqual(r, True)
# The recovery code is not valid a second time
r = check_recoverycode(user, recoverycode)
self.assertEqual(r, False)
def test_18_challenges(self):
db_token = Token.query.filter_by(serial=self.serial1).first()
token = TokenClass(db_token)
transaction_id = "123456789"
db_token.set_pin("test")
# No challenge request
req = token.is_challenge_request(
"test", User(login="******", realm=self.realm1))
self.assertFalse(req, req)
# A challenge request
req = token.is_challenge_request(
"test", User(login="******", realm=self.realm1),
{"data": "a challenge"})
self.assertTrue(req, req)
resp = token.is_challenge_response(
User(login="******", realm=self.realm1), "test123456")
self.assertFalse(resp, resp)
resp = token.is_challenge_response(
User(login="******", realm=self.realm1),
"test123456",
options={"transaction_id": transaction_id})
# The token has not DB entry in the challenges table
self.assertFalse(resp)
# Create a challenge
C = Challenge(serial=self.serial1,
transaction_id=transaction_id,
challenge="12")
C.save()
resp = token.is_challenge_response(
User(login="******", realm=self.realm1),
"test123456",
options={"transaction_id": transaction_id})
self.assertTrue(resp)
# test if challenge is valid
self.assertTrue(C.is_valid())
def test_24_challenge_text(self):
g = FakeFlaskG()
g.client_ip = "10.0.0.1"
options = {"g": g,
"user": User("cornelius", self.realm1)}
set_policy("chaltext", scope=SCOPE.AUTH, action="{0!s}=Wo du wolle?".format(ACTION.CHALLENGETEXT))
g.policy_object = PolicyClass()
val = get_action_values_from_options(SCOPE.AUTH, ACTION.CHALLENGETEXT, options)
self.assertEqual(val, u"Wo du wolle?")
delete_policy("chaltext")
def test_02_set_user(self):
db_token = Token.query.filter_by(serial=self.serial1).first()
token = TokenClass(db_token)
self.assertTrue(token.token.tokentype == "newtype",
token.token.tokentype)
self.assertTrue(token.type == "newtype", token.type)
token.add_user(User(login="******", realm=self.realm1))
user_object = token.user
self.assertTrue(user_object.login == "cornelius", user_object)
self.assertTrue(user_object.resolver == self.resolvername1,
user_object)
def before_request():
"""
This is executed before the request
"""
ensure_no_config_object()
request.all_data = get_all_params(request)
privacyidea_server = current_app.config.get("PI_AUDIT_SERVERNAME") or \
request.host
g.policy_object = PolicyClass()
g.audit_object = getAudit(current_app.config)
g.event_config = EventConfiguration()
# access_route contains the ip adresses of all clients, hops and proxies.
g.client_ip = get_client_ip(request,
get_from_config(SYSCONF.OVERRIDECLIENT))
# Save the HTTP header in the localproxy object
g.request_headers = request.headers
g.serial = getParam(request.all_data, "serial", default=None)
g.audit_object.log({
"success":
False,
"client":
g.client_ip,
"client_user_agent":
request.user_agent.browser,
"privacyidea_server":
privacyidea_server,
"action":
"{0!s} {1!s}".format(request.method, request.url_rule),
"action_detail":
"",
"info":
""
})
username = getParam(request.all_data, "username")
if username:
# We only fill request.User, if we really have a username.
# On endpoints like /auth/rights, this is not available
loginname, realm = split_user(username)
# overwrite the split realm if we have a realm parameter. Default back to default_realm
realm = getParam(request.all_data, "realm",
default=realm) or realm or get_default_realm()
# Prefill the request.User. This is used by some pre-event handlers
try:
request.User = User(loginname, realm)
except Exception as e:
request.User = None
log.warning(
u"Problem resolving user {0!s} in realm {1!s}: {2!s}.".format(
loginname, realm, e))
log.debug(u"{0!s}".format(traceback.format_exc()))
def assign_user(resolver, realm, username, email, givenname, surname, serial, pin):
app = create_app(config_name="production",
config_file="/etc/privacyidea/pi.cfg",
silent=True)
with app.app_context():
# User operations
try:
print("+ Processing user {0!s} in {1!s}/{2!s}.".format(username, resolver, realm))
user_obj = User(username, realm, resolver=resolver)
except UserError as err:
sys.stderr.write(" +-- Failed finding user: {0!s}.\n".format(err))
return
if not user_obj.exist():
print(" +- Creating user {0!s} in {1!s}/{2!s}.".format(username, resolver, realm))
try:
create_user(resolver, {"username": username,
"email": email,
"givenname": givenname,
"surname": surname}, password="")
user_obj = User(username, realm, resolver=resolver)
except UserError as err:
sys.stderr.write("+-- Failed to create user: {0!s}.\n".format(err))
return
except Exception as err:
sys.stderr.write("+-- Failed to create user: {0!s}.\n".format(err))
return
# Token operations
try:
print(" +- Processing token {0!s}".format(serial))
t = assign_token(serial, user_obj, pin)
print(" +-- Assigned token to user {0!s}.".format(user_obj))
except TokenAdminError as err:
sys.stderr.write(" +-- Failed assigning token {0!s}: {1!s}.\n".format(serial, err))
except ResourceNotFoundError as err:
sys.stderr.write(" +-- Failed assigning token {0!s}: {1!s}.\n".format(serial, err))
def test_02_set_user(self):
db_token = Token.query.filter_by(serial=self.serial1).first()
token = TotpTokenClass(db_token)
self.assertTrue(token.token.tokentype == "totp", token.token.tokentype)
self.assertTrue(token.type == "totp", token.type)
token.add_user(User(login="******", realm=self.realm1))
self.assertEqual(token.token.first_owner.resolver, self.resolvername1)
self.assertEqual(token.token.first_owner.user_id, "1000")
user_object = token.user
self.assertTrue(user_object.login == "cornelius", user_object)
self.assertTrue(user_object.resolver == self.resolvername1,
user_object)
def test_04_user_can_not_delete_another_token(self):
self.authenticate_selfservice_user()
assign_token(self.foreign_serial, User("cornelius", self.realm1))
with self.app.test_request_context('/token/{0!s}'.format(self.foreign_serial),
method='DELETE',
headers={'Authorization':
self.at_user}):
res = self.app.full_dispatch_request()
self.assertEqual(res.status_code, 404)
response = json.loads(res.data.decode('utf8'))
self.assertFalse(response["result"]["status"])
# check if the token still exists!
tokenobject_list = get_tokens(serial=self.foreign_serial)
self.assertTrue(len(tokenobject_list) == 1, len(tokenobject_list))
def test_18_user_with_several_phones(self):
ldap3mock.setLDAPDirectory(LDAPDirectory_small)
params = ({
'LDAPURI':
'ldap://localhost',
'LDAPBASE':
'o=test',
'BINDDN':
'cn=manager,ou=example,o=test',
'BINDPW':
'ldaptest',
'LOGINNAMEATTRIBUTE':
'cn',
'LDAPSEARCHFILTER':
'(|(cn=*))', # we use this weird search filter to get a unique resolver ID
'USERINFO':
'{ "username": "******",'
'"phone" : "telephoneNumber", '
'"mobile" : "mobile"'
', "email" : "mail", '
'"surname" : "sn", '
'"givenname" : "givenName" }',
'UIDTYPE':
'objectGUID',
'NOREFERRALS':
True,
'CACHE_TIMEOUT':
0
})
params["resolver"] = "ldapresolver"
params["type"] = "ldapresolver"
rid = save_resolver(params)
self.assertTrue(rid > 0)
(added, failed) = set_realm("ldap", ["ldapresolver"])
self.assertEqual(len(added), 1)
self.assertEqual(len(failed), 0)
u = User("salesman", "ldap")
# get the complete list
r = u.get_user_phone("mobile")
self.assertEqual(r, ["1234", "3456"])
# get the first entry
r = u.get_user_phone("mobile", index=0)
self.assertEqual(r, "1234")
# Index out of range
r = u.get_user_phone("mobile", index=2)
self.assertEqual(r, "")
delete_realm("ldap")
delete_resolver("ldapresolver")
def test_01_tiqr(self):
init_token({"serial": "TIQR1",
"type": "tiqr"}, User("cornelius", self.realm1))
with self.app.test_request_context('/ttype/tiqr',
method='POST',
data={"action": "metadata",
"serial": "TIQR1",
"session": "12345"}):
res = self.app.full_dispatch_request()
data = json.loads(res.data.decode('utf8'))
identity = data.get("identity")
service = data.get("service")
self.assertEqual(identity.get("displayName"), "Cornelius ")
self.assertEqual(service.get("displayName"), "privacyIDEA")
def _get_tokenowner(request):
user = request.User
serial = request.all_data.get("serial")
if user.is_empty() and serial:
# maybe the user is empty, but a serial was passed.
# Then we determine the user by the serial
try:
user = get_token_owner(serial) or User()
except Exception as exx:
user = User()
# This can happen for orphaned tokens.
log.info("Could not determine tokenowner for {0!s}. Maybe the "
"user does not exist anymore.".format(serial))
log.debug(exx)
# We now check, if the user exists at all!
try:
ui = user.info
except UserError as exx:
if exx.id == 905:
user = User()
else:
raise exx
return user
